Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
attackerkbAttackerKBAKB:13130520-C101-492F-A46D-2493829D51D8
HistoryFeb 11, 2020 - 12:00 a.m.

CVE-2020-0668

2020-02-1100:00:00
attackerkb.com
9

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

JSON

An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory, aka ‘Windows Kernel Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2020-0669, CVE-2020-0670, CVE-2020-0671, CVE-2020-0672.

Recent assessments:

bwatters-r7 at April 27, 2020 4:17pm UTC reported:

This is a complex and poorly-defined vulnerability.
Microsoft’s description from <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0668&gt; is essentially useless:
“An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. “

There is little surprise that there exists some confusion about the vulnerability.

Contrary to the earlier poster, I do not believe that this is a System Orchestrator bug. I agree with <https://packetstormsecurity.com/files/cve/CVE-2020-0668&gt; and think the vulnerability is in the Remote Access Service. Part of the confusion is that the vulnerability is a file overwrite vulnerability, and many PoCs are leveraging a dll-hijacking vulnerability in the system orchestrator service to gain code execution after the trusted file write takes place.

The Remote Access Service runs as system and creates a log of its actions called RASTAPI.LOG. Once the RASTAPI.LOG reaches a defined size, the Remote Access Service copies RASTAPI.LOG to RASTAPI.OLD in the same directory.
The issue is twofold. First, the behavior of the Remote Access Service Tool API is defined by three registry keys:
HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI\EnableFileTracing
HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI\FileDirectory
HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI\new_size
These three registry keys allow a user to turn on the RASTAPI and configure the size and location of the log file. These registry keys are writable by a regular user.
The second issue is that the RAST service performs only a trivial check on the filesystem location of the RASTAPI.OLD destination. If an attacker creates a filesystem link between the old log destination (i.e. C:\users\user\temp\RASTAPI.OLD) and a trusted location (C:\windows\system32\badfile.dll), RASDIALER will copy the old log file to the linked location as the SYSTEM user. Because there is a file hijacking vulnerability in the System Orchestrator service, many PoCs use the location C:\Windows\System32\WindowsCoreDeviceInfo.dll, which does not exist in a default configuration, but System Orchestrator Service will load if it does exist,

The attack looks something like:

  1. Gain lower-privileged access to a vulnerable target.
  2. Create a dummy directory to hold files.
  3. Mount the dummy directory to \RPC Control
  4. Upload a dll payload
  5. Create a link between \RPC Control\RASTAPI.LOG and the uploaded payload
  6. Create a link between \RPC Control\RASTAPI.OLD and the destination location the attacker would like to write (in this example, C:\Windows\system32\WindowsCreDeviceInfo.dll)
  7. Write the registry keys to turn on FileTracing, set the file directory to the dummy directory, and set the max file size to one byte less than the size of the payload,
  8. Upload a configuration file for the rasdialer
  9. Launch the rasdialer. When RAST service kicks off, it tries to write a log file to the directory specified in the registry, but it finds one already exists, and it is already full, so RAST service then copies the file to the “old” location that’s linked to the trusted location. The result is an arbitrary file write to a trusted location.
  10. At this point, the overwrite is complete. PoC’s leverage the System Orchestrator service to get execution of the overwritten dll file by launching the system orchestrator.

Many PoC exploits leverage <https://github.com/googleprojectzero/symboliclink-testing-tools&gt; which allow for the manipulation of symbolic links and mount points and also <https://github.com/itm4n/UsoDllLoader&gt; to start the System Orchestrator service to launch the dll.

While the exploit is difficult, there are several PoC exes out there, and a metasploit module in progress, so I consider the exploitability relatively easy, though the exploit itself is difficult.

FULLSHADE at April 21, 2020 5:01pm UTC reported:

This is a complex and poorly-defined vulnerability.
Microsoft’s description from <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0668&gt; is essentially useless:
“An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. “

There is little surprise that there exists some confusion about the vulnerability.

Contrary to the earlier poster, I do not believe that this is a System Orchestrator bug. I agree with <https://packetstormsecurity.com/files/cve/CVE-2020-0668&gt; and think the vulnerability is in the Remote Access Service. Part of the confusion is that the vulnerability is a file overwrite vulnerability, and many PoCs are leveraging a dll-hijacking vulnerability in the system orchestrator service to gain code execution after the trusted file write takes place.

The Remote Access Service runs as system and creates a log of its actions called RASTAPI.LOG. Once the RASTAPI.LOG reaches a defined size, the Remote Access Service copies RASTAPI.LOG to RASTAPI.OLD in the same directory.
The issue is twofold. First, the behavior of the Remote Access Service Tool API is defined by three registry keys:
HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI\EnableFileTracing
HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI\FileDirectory
HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI\new_size
These three registry keys allow a user to turn on the RASTAPI and configure the size and location of the log file. These registry keys are writable by a regular user.
The second issue is that the RAST service performs only a trivial check on the filesystem location of the RASTAPI.OLD destination. If an attacker creates a filesystem link between the old log destination (i.e. C:\users\user\temp\RASTAPI.OLD) and a trusted location (C:\windows\system32\badfile.dll), RASDIALER will copy the old log file to the linked location as the SYSTEM user. Because there is a file hijacking vulnerability in the System Orchestrator service, many PoCs use the location C:\Windows\System32\WindowsCoreDeviceInfo.dll, which does not exist in a default configuration, but System Orchestrator Service will load if it does exist,

The attack looks something like:

  1. Gain lower-privileged access to a vulnerable target.
  2. Create a dummy directory to hold files.
  3. Mount the dummy directory to \RPC Control
  4. Upload a dll payload
  5. Create a link between \RPC Control\RASTAPI.LOG and the uploaded payload
  6. Create a link between \RPC Control\RASTAPI.OLD and the destination location the attacker would like to write (in this example, C:\Windows\system32\WindowsCreDeviceInfo.dll)
  7. Write the registry keys to turn on FileTracing, set the file directory to the dummy directory, and set the max file size to one byte less than the size of the payload,
  8. Upload a configuration file for the rasdialer
  9. Launch the rasdialer. When RAST service kicks off, it tries to write a log file to the directory specified in the registry, but it finds one already exists, and it is already full, so RAST service then copies the file to the “old” location that’s linked to the trusted location. The result is an arbitrary file write to a trusted location.
  10. At this point, the overwrite is complete. PoC’s leverage the System Orchestrator service to get execution of the overwritten dll file by launching the system orchestrator.

Many PoC exploits leverage <https://github.com/googleprojectzero/symboliclink-testing-tools&gt; which allow for the manipulation of symbolic links and mount points and also <https://github.com/itm4n/UsoDllLoader&gt; to start the System Orchestrator service to launch the dll.

While the exploit is difficult, there are several PoC exes out there, and a metasploit module in progress, so I consider the exploitability relatively easy, though the exploit itself is difficult.

Assessed Attacker Value: 3
Assessed Attacker Value: 3Assessed Attacker Value: 3

Related

prion 5
cve 5
mscve 5
zdi 1
packetstorm 2
metasploit 1
githubexploit 1
zdt 2
rapid7blog 1
nessus 10
mskb 14
kaspersky 2
openvas 8
talosblog 1
prion
prion
Privilege escalation
2020-02-11 22:15:00
Privilege escalation
2020-02-11 22:15:00
Privilege escalation
2020-02-11 22:15:00
cve
cve
CVE-2020-0669
2020-02-11 22:15:00
CVE-2020-0670
2020-02-11 22:15:00
CVE-2020-0672
2020-02-11 22:15:00
mscve
mscve
Windows Kernel Elevation of Privilege Vulnerability
2020-02-11 08:00:00
Windows Kernel Elevation of Privilege Vulnerability
2020-02-11 08:00:00
Windows Kernel Elevation of Privilege Vulnerability
2020-02-11 08:00:00
zdi
zdi
Microsoft Windows Service Tracing Arbitrary File Move Privilege Escalation Vulnerability
2020-02-20 00:00:00
packetstorm
packetstorm
Microsoft Windows Kernel Privilege Escalation
2020-02-28 00:00:00
Service Tracing Privilege Escalation
2020-05-08 00:00:00
metasploit
metasploit
Service Tracing Privilege Elevation Vulnerability
2020-04-17 21:41:00
githubexploit
githubexploit
Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft
2020-02-26 11:37:29
zdt
zdt
Service Tracing Privilege Escalation Exploit
2020-05-09 00:00:00
Microsoft Windows Kernel Privilege Escalation Exploit
2020-03-02 00:00:00
rapid7blog
rapid7blog
Metasploit 2020 Wrap-Up
2020-12-30 15:38:00
nessus
nessus
KB4537762: Windows 10 Version 1803 February 2020 Security Update
2020-02-11 00:00:00
KB4532691: Windows 10 Version 1809 and Windows Server 2019 February 2020 Security Update
2020-02-11 00:00:00
KB4532693: Windows 10 Version 1903 and Windows 10 Version 1909 February 2020 Security Update
2020-02-11 00:00:00
mskb
mskb
February 11, 2020—KB4537762 (OS Build 17134.1304)
2020-02-11 08:00:00
February 11, 2020—KB4532693 (OS Builds 18362.657 and 18363.657) - EXPIRED
2020-02-11 08:00:00
February 11, 2020—KB4532691 (OS Build 17763.1039)
2020-02-11 08:00:00
kaspersky
kaspersky
KLA11662 Multiple vulnerabilities in Microsoft Windows
2020-02-11 00:00:00
KLA11694 Multiple vulnerabilities in Microsoft products (ESU)
2020-02-11 00:00:00
openvas
openvas
Microsoft Windows Multiple Vulnerabilities (KB4532693)
2020-02-12 00:00:00
Microsoft Windows Multiple Vulnerabilities (KB4532691)
2020-02-12 00:00:00
Microsoft Windows Multiple Vulnerabilities (KB4537789)
2020-02-12 00:00:00
talosblog
talosblog
Microsoft Patch Tuesday — Feb. 2020: Vulnerability disclosures and Snort coverage
2020-02-13 08:22:46

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

JSON
Related for AKB:13130520-C101-492F-A46D-2493829D51D8
prion5cve5mscve5zdi1packetstorm2metasploit1githubexploit1zdt2rapid7blog1nessus10mskb14kaspersky2openvas8talosblog1